12/03/2007 @ 5:18PM

Google's War On Cyber-Crime

“Don’t be evil” isn’t just Google’s corporate mantra. Lately, the search giant has also applied its moral code to real evildoers: Web sites that use shady software to exploit unwitting searchers.

Over several days last week, Google removed thousands of pages from its search results that security software maker Sunbelt Software discovered were secretly infecting users with hidden malicious programs.

In a blog post on Tampa, Fla.-based Sunbelt’s site last Monday, company researcher Adam Thomas revealed that search terms as seemingly innocuous as “how to train a dog to fetch” and “hospice” were returning links to sites hosted on Chinese domains and infected with malware. Users who clicked on the links became vulnerable to programs installed on their computers that were designed to steal bank codes, send spam and engage in click fraud.

The scheme also cannily manipulated Google’s algorithm to drive more users to the malware-hosting sites. Since Google ranks results based on the number of Web pages that link to them, cyber-criminals added thousands of links to their pages on forums and blog comment sections around the Web, pushing their pages to the top of the search engine’s results.

For its part, Mountain View, Calif.-based Google was quick to scrub its search results following Sunbelt’s blog post. Google removed the offending pages from the search engine’s index Tuesday and added them to a malware blacklist that the company has been assembling since it began incorporating security measures in its search filters a year and a half ago.

But despite the initial cleanup, malware pages soon crept back into search results and had to be banned again, says Thomas. That’s a sign that the malware writers may be an ongoing problem for the search engine. Google “did an excellent job of cleaning out the links to malware sites the night after we told them about it,” Thomas says. “But by the next morning, bad guys had taken over again. Until they can tweak their algorithm to find this stuff effectively, it’s going to be a continuing problem.”

The Web-based malware problem isn’t unique to Google, Thomas adds. “This attack was targeted at Google. But the attackers at any time could shift the floodgates and open up the tide for Yahoo! or [Microsoft's] Live.”

A Google spokesman responded to the malware incidents with a statement saying that the company’s employees “actively identify sites that serve malware or abuse our quality guidelines in other ways. Sites that exploit browser security holes to install software (such as malware, spyware, viruses, adware and Trojan horses) are in violation of our quality guidelines and may be removed from Google’s index.”

In response to last week’s malware blitz, the search giant also began asking users for help. In a post titled “Help us fill in the gaps!”, Google blogger Ian Fette asked that users report malware sites online at http://www.google.com/safebrowsing/report_badware/.

But Sunbelt’s Thomas is still wary. “This is a good step forward, but I don’t think it can clean up the problem alone,” he says. “I’m sure the attackers are still out there, trying to seed malicious links into Google. I don’t think any small effort is going to stop them.”